Dissecting a Java Pikabot Dropper
Tags
| country: | Denmark |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Code Signing - T1553.002 Malware - T1587.001 Malware - T1588.001 Regsvr32 - T1218.010 Tool - T1588.002 Code Signing - T1116 Regsvr32 - T1117 |
Common Information
| Type | Value |
|---|---|
| UUID | 6567a853-35ca-424a-a1d8-4bd9f7a93e4c |
| Fingerprint | 35da7b2e06a38689 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | March 3, 2024, midnight |
| Added to db | Aug. 31, 2024, 6:55 a.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | Dissecting a Java Pikabot Dropper |
| Title | Dissecting a Java Pikabot Dropper |
| Detected Hints/Tags/Attributes | 37/3/24 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://forensicitguy.github.io/dissecting-java-pikabot-dropper/ |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 124 | ✔ | Tony Lambert | https://forensicitguy.github.io/feed.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 93 | bazaar.abuse.ch |
|
| Details | Domain | 1 | kzfraqve.java |
|
| Details | Domain | 138 | java.io |
|
| Details | Domain | 14 | ssl.com |
|
| Details | File | 1 | voluptasyk.jar |
|
| Details | File | 1 | x2nqldqv.gif |
|
| Details | File | 1 | kzfraqve.java |
|
| Details | File | 1 | summary.txt |
|
| Details | File | 11 | io.tmp |
|
| Details | File | 1 | 317631.png |
|
| Details | File | 1 | %temp%\317631.png |
|
| Details | File | 1 | c:\users\admin\appdata\local\temp\317631.png |
|
| Details | File | 459 | regsvr32.exe |
|
| Details | md5 | 1 | f32839de7b3209090778a9a4c5e14cce |
|
| Details | md5 | 1 | 370ebde54530b2016d14ffc9556403dc |
|
| Details | md5 | 1 | af6787be711f295a744c1832921c9ab2 |
|
| Details | md5 | 1 | 79695808028c2494541535419610a4e0 |
|
| Details | sha1 | 1 | ca33599617a5de46cb3e726d66eee9d48e5a78af |
|
| Details | sha256 | 1 | 0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f |
|
| Details | sha256 | 1 | aab9e3d3f923f7c17694df3bd395aea1112f87e63580c1762579c43056d3b2da |
|
| Details | IPv4 | 56 | 1.3.6.1 |
|
| Details | IPv4 | 5 | 11.60.2.1 |
|
| Details | IPv4 | 4 | 2.5.4.15 |
|
| Details | Url | 1 | https://bazaar.abuse.ch/sample/0a0e0d2f9daa0bad25c3defd69a3a6d96a6ac5f325a369761807c06887d3bd9f/. |